Add PCRReset command for tpm2 #268

Merged
merged 1 commit into from
Jan 26, 2022
1 change: 1 addition & 0 deletions tpm2/constants.go
Expand Up @@ -454,6 +454,7 @@ const (
CmdDictionaryAttackLockReset tpmutil.Command = 0x00000139
CmdDictionaryAttackParameters tpmutil.Command = 0x0000013A
CmdPCREvent tpmutil.Command = 0x0000013C
CmdPCRReset tpmutil.Command = 0x0000013D
CmdSequenceComplete tpmutil.Command = 0x0000013E
CmdStartup tpmutil.Command = 0x00000144
CmdShutdown tpmutil.Command = 0x00000145
33 changes: 33 additions & 0 deletions tpm2/test/tpm2_test.go
Expand Up @@ -1102,6 +1102,39 @@ func TestReadPCR(t *testing.T) {
}
}

func TestPCRReset(t *testing.T) {
rw := openTPM(t)
defer rw.Close()
allZeroBytes := make([]byte, 32)
debugPCR := 16

var fakeHashSum [32]byte
err := PCRExtend(rw, tpmutil.Handle(debugPCR), AlgSHA256, fakeHashSum[:], "")
if err != nil {
t.Fatal(err)
}

pcrVal, err := ReadPCR(rw, debugPCR, AlgSHA256)
if err != nil {
t.Fatal(err)
}
if bytes.Equal(allZeroBytes, pcrVal) {
t.Fatal("PCR shouldn't be all zeros after PCRExtend")
}

err = PCRReset(rw, tpmutil.Handle(debugPCR))
if err != nil {
t.Fatal(err)
}
pcrVal, err = ReadPCR(rw, debugPCR, AlgSHA256)
if err != nil {
t.Fatal(err)
}
if !bytes.Equal(allZeroBytes, pcrVal) {
t.Fatal("PCR should be all zeros after PCRReset")
}
}

func makeAttestationData() AttestationData {
signer := tpmutil.Handle(100)
return AttestationData{
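Review bot: The expected digest length is hard-coded as `make([]byte, 32)` while the bank under test is chosen separately by `AlgSHA256`, so the two can silently drift apart if the test is later parameterized over hash algorithms; deriving the length from the algorithm (`crypto.SHA256.Size()`, if `crypto` is imported in this file) or at least a comment tying the 32 to SHA-256 keeps them in step. `debugPCR := 16` is converted to `tpmutil.Handle` twice and passed as a plain int to ReadPCR; a short comment such as `// PCR 16 is the debug PCR, resettable at the default locality` would record why this index is the only one the test can safely reset. Note that if any step between PCRExtend and PCRReset fails with t.Fatal, PCR 16 is left extended for whatever shares the TPM, which is acceptable for a debug PCR but worth knowing when the test runs against hardware.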
23 changes: 23 additions & 0 deletions tpm2/tpm2.go
Expand Up @@ -1930,6 +1930,29 @@ func ReadPCR(rw io.ReadWriter, pcr int, hashAlg Algorithm) ([]byte, error) {
return pcrVal, nil
}

func encodePCRReset(pcr tpmutil.Handle) ([]byte, error) {
ha, err := tpmutil.Pack(pcr)
if err != nil {
return nil, err
}
auth, err := encodeAuthArea(AuthCommand{Session: HandlePasswordSession, Attributes: AttrContinueSession, Auth: EmptyAuth})
if err != nil {
return nil, err
}
return concat(ha, auth)
}

// PCRReset resets the value of the given PCR. Usually, only PCR 16 (Debug) and
// PCR 23 (Application) are resettable on the default locality.
func PCRReset(rw io.ReadWriter, pcr tpmutil.Handle) error {
Cmd, err := encodePCRReset(pcr)
if err != nil {
return err
}
_, err = runCommand(rw, TagSessions, CmdPCRReset, tpmutil.RawBytes(Cmd))
return err
}

// EncryptSymmetric encrypts data using a symmetric key.
//
// WARNING: This command performs low-level cryptographic operations.
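Review bot: PCRReset always authorizes with `Auth: EmptyAuth` over a password session (the auth area built in encodePCRReset), so it only succeeds while the target PCR's authValue is still empty; a PCR whose auth value has been changed with TPM2_PCR_SetAuthValue will be refused by the TPM through this helper, and the doc comment does not say so. I would extend the comment with `// PCRReset authorizes with an empty password; it fails for a PCR whose authValue has been set.` and, if the existing comment's locality remark is kept, note that the TPM itself rejects resets of PCRs that are not resettable at the caller's locality rather than this function checking it. The local on `Cmd, err := encodePCRReset(pcr)` should be `cmd` — a capitalized local reads as an exported identifier in Go, and the name is used on the runCommand line just below.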